19 July

Group-IB is investigating a new daring attack by MoneyTaker: hackers try to steal $1 mln from the bank

Group-IB, one of the global leaders in preventing high-tech crimes and providing high-fidelity threat intelligence and anti-fraud solutions, is conducting incident response on an attack on PIR Bank (Russia), which resulted in the theft of 1 million US dollars, conducted by MoneyTaker hacking group. Funds were stolen on July 3 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar to SWIFT), transferred to 17 accounts at major Russian banks and cashed out. After that, the criminals tried to ensure persistence in the bank’s network in preparation for subsequent attacks, but were detected and removed by Group-IB incident responders.

According to Kommersant newspaper, PIR Bank lost around $920,000 (which is a conservative estimate) from their correspondent account at the Bank of Russia. PIR Bank officially confirmed the attack initially, adding at that time they were unable to determine the exact amount of losses. PIR staff managed to delay withdrawal of some stolen funds, but it is clear that most are lost. In order to respond to the incident, PIR Bank staff engaged Group-IB.

During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible. At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank’s operations in the future in order to prevent new similar incidents.

Olga Kolosova

Chairman of the Board at PIR Bank

After studying infected workstations and servers at the financial institution, Group-IB forensic specialists collected irrefutable digital evidence implicating MoneyTaker in the theft. In particular, the experts discovered specific tools and techniques that had been used earlier by MoneyTaker to attack banks, as well as the IP addresses of their C&C servers. Recommendations for prevention of similar attacks has been circulated to financial institutions that are Group-IB’s clients and partners, including the Central Bank of Russia. MoneyTaker is a criminal group specializing in targeted attacks on financial institutions, which was investigated by Group-IB experts in December 2017 in their analytic report called MoneyTaker: 1.5 Years of Silent Operations. These hackers are mainly focused on card processing and interbank transfer systems (AWS CBR and SWIFT).

What happened at PIR Bank?

From Incident Response, Group-IB confirmed that the attack on PIR Bank started in late May 2018. The entry point was a compromised router used by one of the bank’s regional branches. The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks.

To establish persistence in the banks’ systems and automate some stages of their attack, the MoneyTaker group traditionally use PowerShell scripts. This technique was analyzed in detail by Group-IB experts in their December report. When the criminals hacked the bank’s main network, they managed to gain access to AWS CBR (Automated Work Station Client of the Russian Central Bank), generate payment orders and send money in several tranches to mule accounts prepared in advance.

On the evening of July 4, when bank employees found unauthorized transactions with large sums, they asked the regulator to block the AWS CBR digital signature keys, but failed to stop the financial transfers in time. Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.

Simultaneously, the attackers used a technique characteristic of MoneyTaker to cover their tracks in the system — they cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation.
Moreover, the criminals left some so-called ‘reverse shells’, programs that connected the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and gain the access to the network. During incident response this was detected by Group-IB employees and removed by the bank’s sysadmins.

«This is not the first successful attack on a Russian bank with money withdrawal since early 2018. We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. As for withdrawal schemes, each group specializing in targeted attacks — Cobalt, Silence and MoneyTaker (these have been the most active groups in 2018) — have their own scheme depending on the amounts and cashout scenarios. We should understand that attacks on AWS CBR are difficult to implement and are not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully. A 2016 incident, when МoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind.»

Valeriy Baulin

Head of Digital Forensics Lab Group-IB

Who are MoneyTaker and why is it so difficult to catch them?

The first attack by MoneyTaker was recorded in spring 2016, when they stole money from a U.S. bank after gaining access to the card processing system (FirstData’s STAR processing system). After that, the hackers did not conduct attacks for almost 4 months and only attacked banks in Russia in September 2016. In these instances, their target was AWS CBR, the Russian interbank transfer system. In general, in 2016, Group-IB recorded 10 MoneyTaker attacks against organisations in the U.S., UK and Russia. Since 2017, the geography of their attacks has shrunk to Russia and the U.S. In 2018, Group-IB tracked two MoneyTaker attacks in Russia.

MoneyTaker has its own set of specific TTPs. The hackers try to go unnoticed, use ‘one-time’ infrastructure, ‘fileless’ software and carefully cover up traces of their presence. This involves specific usages of Metasploit and PowerShell Empire frameworks.

It is evident that MoneyTaker is one of the top threat to the banks all over the world. In connection with the incident in PIR Bank, Group-IB gave recommendations to security departments of financial institutions on how to minimize the danger presented by MoneyTaker. Since the entry point in most successful attacks conducted by this group was routers, it is first necessary to check if you have the up-to-date firmware, test systems for brute-force vulnerabilities and detect changes in router configuration in a timely manner.

According to the Group-IB report published in December, at that time, MoneyTaker had conducted 16 attacks in the U.S., five attacks on Russian banks and one attack on an banking software company in the UK. The average damage caused by one attack in the U.S. amounted to $500,000. In Russia, the average amount of money withdrawn is 1.2 million USD per incident. In addition to money, the criminals steal documents about interbank payment systems needed to prepare for subsequent attacks. Incident response and investigations continue.